RISKS-LIST: Risks-Forum Digest  Sunday 28 February 2010  Volume 25 : Issue 95

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.95.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [Backlogged]
Growing Threat to GPS Systems From Jammers (Jerry Leichter)
Sat-nav systems under growing threat from 'jammers' (Amos Shapir)
More on Risks of EMV Legacy Compatibility (Anthony Thorn)
Self-Signed Certificates Strike Again? (Bob Gezelter)
Facebook friended, boyfriend offended, tragically ended (John Linwood Griffin)
Google: Serious threat to the web in Italy (Monty Solomon)
Fault-Tolerance as a Risk (Gene Wirchenko)
School District Spying on Students at Home? (Gene Wirchenko)
A Message from Ric Edelman about data lost (fjohn reinke)
Nationwide Technetium shortage: coinciding reactor failure/maintenance
  (Richard I. Cook)
IEEE Symposium on Security and Privacy: 30th anniversary (David Evans)
FOSE 2010 (Kalin Tyler)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 25 Feb 2010 20:44:03 -0500
From: Jerry Leichter <leichter_at_private>
Subject: Growing Threat to GPS Systems From Jammers

The BBC reports (http://news.bbc.co.uk/2/hi/science/nature/8533157.stm) on
the growing threat of jamming to satellite navigation systems.  The
fundamental vulnerability of all the systems - GPS, the Russian Glonass, and
the European Galileo - is the very low power of the transmissions.  (Nice
analogy: A satellite puts out less power than a car headlight, illuminating
more than a third of the Earth's surface from 20,000 kilometers.)  Jammers -
which simply overwhelm the satellite signal - are increasingly available
on-line.
According to the article, low-powered hand-held versions cost less than
£100, run for hours on a battery, and can confuse receivers tens of
kilometers away.  The newer threat is from spoofers, which can project a
false location.  This still costs "thousands", but the price will inevitably
come down.  A test done in 2008 showed that it was easy to badly spoof ships
off the English coast, causing them to read locations anywhere from Ireland
to Scandinavia.

Beyond simple hacking - someone is quoted saying "You can consider GPS a
little like computers before the first virus - if I had stood here before
then and cried about the risks, you would've asked 'why would anyone
bother?'." - among the possible vulnerabilities are to high-value cargo,
armored cars, and rental cars tracked by GPS.

As we build more and more "location-aware" services, we are inherently
building more "false-location-vulnerable" services at the same time.

  -- Jerry

------------------------------

Date: Wed, 24 Feb 2010 17:54:47 +0200
From: Amos Shapir <amos083_at_private>
Subject: Sat-nav systems under growing threat from 'jammers'

"While "jamming" sat-nav equipment with noise signals is on the rise, more
sophisticated methods allow hackers even to program what receivers display.
At risk are not only sat-nav users, but also critical national
infrastructure."

Full story at: http://news.bbc.co.uk/1/hi/sci/tech/8533157.stm

  [This risk noted by several others as well.]

------------------------------

Date: Tue, 23 Feb 2010 09:27:28 +0100
From: Anthony Thorn <anthony.thorn_at_private>
Subject: More on Risks of EMV Legacy Compatibility (Magda, RISKS-25.94)

Recently Ross Anderson's group has published a new and very serious
vulnerability in the "Chip & Pin" (EMV) authentication used by many
-probably most- credit and debit card issuers world wide.

Very briefly:
"The attack uses an electronic device as a "man-in-the-middle" ... ...
the terminal thinks that the PIN was entered correctly, and the card assumes
that a signature was used to authenticate the transaction."

The paper:
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf
The FAQ
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/
The BBC Video
http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

The risk: Providing "legacy compatibility", in this case with signature based
authentication, always involves additional risk and requires special
attention.

(Acknowledgment to Bruce Schneier's blog)

------------------------------

Date: Tue, 23 Feb 2010 07:03:33 -0500
From: Bob Gezelter <gezelter_at_private>
Subject: Self-Signed Certificates Strike Again?

CNN has posted an item: "Elvis Presley passport exposes security flaw" (Atika
Shubert, 2010-02-23) relating an interview with Adam Laurie and Jeroen Van
Beek, two self-described "ethical hackers" who created a forged passport in
the name of Elvis Presley from a non-existent country.  According to the
article, the passport was accepted by an automated scanning machine, even
though it was signed by what amounted to a self-signed certificate.  Laurie
is quoted as saying that many countries do not share sufficient information
for others to authenticate the digital signatures.

The article can be found at:
http://www.cnn.com/2010/TECH/02/19/passport.security/index.html

The need for commonly accepted higher level certification authority or
authorities is a well-understood part of such digital signature
authentication schemes.  It is disturbing that such a registration or
acceptance feature, common to all web browser security implementations, has
not been internationally accepted, despite the fact that the infrastructure
is already in place in a number of international organizations (e.g., IPU,
ITU-T [formerly CCITT], and others).
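The chain-of-trust point in the item above, as an added example (this is not code from the post, from CNN, or from any passport system; it uses only Go's standard crypto/x509, and every name, certificate, key and passport datum in it is constructed): a verifier that holds the issuing countries' roots rejects a self-signed document signer, whereas a verifier that only checks the signature under whatever key the document carries accepts the forgery exactly as the scanner in the article did.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate for name.  With parent == nil it is
// self-signed (issuer == subject): nobody but the holder vouches for the key.
func makeCert(name string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// StrictAccepts models a scanner with a proper trust store: the document
// signature must verify under the signer's key AND the signer certificate
// must chain to one of the roots the scanner already holds.
func StrictAccepts(roots *x509.CertPool, signer *x509.Certificate, doc, sig []byte) bool {
	if signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig) != nil {
		return false
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// NaiveAccepts is the failure mode the post describes: the signature checks
// out under whatever key the document carries, so the scanner is satisfied,
// although no root it trusts has ever vouched for that key.
func NaiveAccepts(signer *x509.Certificate, doc, sig []byte) bool {
	return signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig) == nil
}

// Outcome records each verifier's decision on a genuine and a forged document.
type Outcome struct{ StrictGenuine, StrictForged, NaiveGenuine, NaiveForged bool }

// Scenario builds a constructed country signing root, a document signer it
// issued, and a self-signed signer for a non-existent country, then signs the
// same constructed passport data with both and runs both verifiers.
func Scenario() Outcome {
	root, rootKey := makeCert("Country Signing CA (constructed)", true, nil, nil)
	genuine, genuineKey := makeCert("Document Signer (constructed)", false, root, rootKey)
	forged, forgedKey := makeCert("Document Signer of Nowhere (constructed)", false, nil, nil)
	doc := []byte("constructed passport data: name=Elvis Presley")
	h := sha256.Sum256(doc)
	genuineSig, _ := ecdsa.SignASN1(rand.Reader, genuineKey, h[:])
	forgedSig, _ := ecdsa.SignASN1(rand.Reader, forgedKey, h[:])
	roots := x509.NewCertPool() // the scanner knows only the genuine root
	roots.AddCert(root)
	return Outcome{
		StrictGenuine: StrictAccepts(roots, genuine, doc, genuineSig),
		StrictForged:  StrictAccepts(roots, forged, doc, forgedSig),
		NaiveGenuine:  NaiveAccepts(genuine, doc, genuineSig),
		NaiveForged:   NaiveAccepts(forged, doc, forgedSig),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("strict verifier: genuine=%v forged=%v\n", o.StrictGenuine, o.StrictForged)
	fmt.Printf("naive verifier:  genuine=%v forged=%v\n", o.NaiveGenuine, o.NaiveForged)
}
```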
- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Thu, 25 Feb 2010 14:49:21 -0500 (EST)
From: John Linwood Griffin <griffin2_at_private>
Subject: Facebook friended, boyfriend offended, tragically ended

The independent newspaper *City Paper* runs a weekly column, "Murder Ink",
that provides coverage of homicides here in Baltimore City, Maryland.  A
computer-related murder on February 17, 2010, caught my eye:

> Two men got into an argument with Couther's aunt over a Facebook page.
> Couther went into the living room to help his aunt and ended up arguing
> and then fighting with one of the men [resulting in Couther's throat being
> slashed] [...] Couther died at a local hospital an hour later.  Montaize
> Alford [was] arrested and charged with Couther's murder.  According to
> [Stephen Janis of investigativevoice.com], the aunt was being beaten by
> her boyfriend because a man "friended" her on Facebook.

http://www.citypaper.com/news/story.asp?id=19818
(Anna Ditkoff writing in *City Paper* volume 34 number 8, page 8,
February 23, 2010)

Peter Hermann of *The Baltimore Sun* corroborates the Facebook angle on his
blog, citing police detective Michael Moran's charging documents:

> [Couther's aunt] Begett had returned from work and was sleeping on her
> sofa when Alford called her on her cell phone at about 2 a.m. and started
> arguing with her about a male friend on her Facebook page [...] Begett
> hung up on Alford and moments later he showed up at her home and entered
> using a key.  He began assaulting her [then] Couther and Alford began
> fighting [resulting in] a large laceration to [Couther's] neck which was
> bleeding profusely.

http://weblogs.baltimoresun.com/news/crime/blog/2010/02/slew_of_homicide_arrests_inclu.html

Since this is the RISKS Forum, I felt at first compelled to come up with a
piquant observation about the erosion of privacy inherent in social network
computing.  But then I realized I'm missing the broader issue.  It's not our
role as scientists and practitioners to complain about how "the times they
are a-changin'" -- it's to ask questions like "was Begett aware when she
accepted the friending request that the action would be visible to her
boyfriend, and if she was not aware then how could that consequence have
been conveyed better by Facebook or other entities?"

The RISK to me (whom a student called "tragically uncool" due to my apparent
underuse of social networking media) is missing an opportunity to do
something about a problem simply because I don't like the problem.

------------------------------

Date: Wed, 24 Feb 2010 09:30:43 -0500
From: Monty Solomon <monty_at_private>
Subject: Google: Serious threat to the web in Italy

Serious threat to the web in Italy, 24 Feb 2010

In late 2006, students at a school in Turin, Italy filmed and then uploaded
a video to Google Video that showed them bullying an autistic schoolmate.
The video was totally reprehensible and we took it down within hours of
being notified by the Italian police.  We also worked with the local police
to help identify the person responsible for uploading it and she was
subsequently sentenced to 10 months community service by a court in Turin,
as were several other classmates who were also involved.  In these rare but
unpleasant cases, that's where our involvement would normally end.

But in this instance, a public prosecutor in Milan decided to indict four
Google employees -David Drummond, Arvind Desikan, Peter Fleischer and George
Reyes (who left the company in 2008).  The charges brought against them were
criminal defamation and a failure to comply with the Italian privacy code.
To be clear, none of the four Googlers charged had anything to do with this
video.  They did not appear in it, film it, upload it or review it.  None of
them know the people involved or were even aware of the video's existence
until after it was removed.
Nevertheless, a judge in Milan today convicted 3 of the 4 defendants - David
Drummond, Peter Fleischer and George Reyes - for failure to comply with the
Italian privacy code.  All 4 were found not guilty of criminal defamation.
In essence this ruling means that employees of hosting platforms like Google
Video are criminally responsible for content that users upload.

We will appeal this astonishing decision because the Google employees on
trial had nothing to do with the video in question.  Throughout this long
process, they have displayed admirable grace and fortitude.  It is
outrageous that they have been subjected to a trial at all. ...

http://googleblog.blogspot.com/2010/02/serious-threat-to-web-in-italy.html

------------------------------

Date: Mon, 22 Feb 2010 12:44:10 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Fault-Tolerance as a Risk

Tim Greene, *IT Business*, 22 Feb 2010
Kneber botnet -- a multi-headed hydra that's wreaking havoc
The most sinister aspect of the Kneber botnet is its interaction with other
malware networks, suggesting a symbiotic relationship that ultimately makes
each bot more resistant to being dismantled.
http://www.itbusiness.ca/it/client/en/home/news.asp?id=56499

At the bottom of the first page of the article are these two paragraphs:

'What he found is that more than half the 74,000 compromised computers --
bots -- within Kneber were also found infected with other malware that uses
a different command-and-control structure.  If one of the criminal networks
were disabled, the other could be used to build it up again,

"At the very least, two separate botnet families with different
[command-and-control] infrastructures can provide fault tolerance and
recoverability in the event that one [command-and-control] mechanism is
taken down by security efforts," he says in his written analysis of the
Kneber botnet.'

------------------------------

Date: Mon, 22 Feb 2010 13:37:37 -0800
From: Gene Wirchenko <genew_at_private>
Subject: School District Spying on Students at Home?

http://news.cnet.com/8301-30977_3-10457077-10347072.html
Students'-eye view of Webcam spy case

The first two paragraphs:

'Students at Herriton High School in Lower Merion School District near
Philadelphia are given Apple MacBook laptops to use both at school and at
home.  Like all MacBooks, the ones issued to the students have a Webcam.
And, in addition to the students' ability to use the Webcam to take pictures
or video, the school district can also use it to take photographs of whomever
is using the computer.

In a civil complaint (PDF) filed in federal court, a student at the school,
Blake Robbins, said he received a notice from an assistant principal
informing him that "the school district was of the belief that minor
plaintiff was engaged in improper behavior in his home, and cited as evidence
a photograph from the Webcam."'

It is apparently worse than that:

http://www.infoworld.com/d/adventures-in-it/when-schools-spy-their-students-bad-things-happen-474?source=IFWNLE_nlt_notes_2010-02-22

InfoWorld Home / Adventures in IT / Robert X. Cringely
Notes from the Field, February 22, 2010
When schools spy on their students, bad things happen
Pennsylvania's Lower Merion School District thought it was clever to use
webcams to track its students' MacBooks -- boy, were they mistaken

Savanna Williams, a statuesque sophomore at Harriton, appeared on CBS's "The
Early Show" with her mother, talking about how she takes her school-supplied
notebook everywhere -- including the bathroom when she showers.  If that
doesn't give you a strong mental image of the potential for abuse, nothing
will.

For a thoroughly creepy demonstration of how another school, the Bronx's IS
339, spies on its students using webcams, check out this video.  Assistant
Principal Dan Ackerman cheerfully shows how he watches sixth and seventh
graders in real time without their knowing it while they preen in front of
an app called Photo Booth.

  "Photo Booth is always fun... a lot of kids are just on it to check their
  hair, do their makeup, the girls, you know.  They just use it like it's a
  mirror... They don't even realize that we're watching...I always like to
  mess with them and take a picture."

At least he's doing it on school grounds and not in their bathrooms.

------------------------------

Date: Tue, 23 Feb 2010 17:54:09 -0500
From: fjohn reinke <fjohn_at_private>
Subject: A Message from Ric Edelman about data lost

Begin forwarded message:

> From: "Edelman Financial" <client_at_private>
> Date: February 23, 2010 4:58:14 PM EST
> Subject: A Message from Ric Edelman

Dear fjohn and Evlynn:

For the past two years we have been distributing news, reviews and other
important information to you via email.  By bypassing the postal service we
are able to contact you more easily, quickly and cheaply --- which improves
speed and helps us control expenses.  Email also allows you to respond to us
more easily and quickly, too, resulting in faster and better service.

The vendor we use for sending you my updates and other non account-related
communications is iContact.  We have just been informed that email addresses
have been stolen from iContact's system, possibly by one of their former
employees.  iContact is working with law enforcement officials on the matter
and has not yet determined the extent of the theft.  At this time, your
email address may or may not have been involved.

Because we do not provide iContact with anything other than email addresses
and names, your personal information remains safe.  It was not possible for
the thief to obtain addresses, account numbers or any personal financial
data.  The worst case is that you might notice an increase in the amount of
spam that you receive. [...]
My best regards,
Ric Edelman, Chairman & CEO, 888-752-6742

  [I invite you to read my blog "Reinke Faces Life", visit my sites (all
  listed at http://krunchd.com/reinkefj), and use whatever you need.  Join
  me (reinkefj) on LinkedIn, Facebook, Plaxo, and / or follow me on Twitter.
  Remember the adage "first seek to help; then be helped".]

------------------------------

Date: Tue, 23 Feb 2010 15:45:28 -0600
From: "Richard I. Cook, MD" <rcook_at_private>
Subject: Nationwide Technetium shortage: coinciding reactor failure/maintenance

> Subject: Clinical Update: Nationwide Technetium shortage memo..[]
> Date: Tue, 23 Feb 2010 ##:##:## -####
> From: Big University Hospital

On 14 May 2009 the NRU Reactor in Canada was shut down due to a heavy water
leak for repairs.  This has impacted approximately 40% of the world's supply
of Mo-99.  Consequently, this has created a nationwide shortage of Tc99
which is used in 80% of nuclear medicine imaging procedures.  On 19 Feb 2010
the High Flux Petten Reactor in the Netherlands will be shut down for
approximately 6 months for repairs further exasperating the already acute
shortage.

In the coming weeks it may be necessary to adjust schedules to cope with the
cyclical nature of the remaining supply of Tc99 from our commercial
radiopharmaceutical providers.  Typically, our providers will have a more
ample supply in the beginning and end of the week, with seriously depleted
availability Tuesdays and Wednesdays as a result.  Even further complicating
the matters, all five major medical isotope reactors will be off-line for
approximately two weeks in mid-March for routine maintenance.  There is a
strong possibility there may be no product available during certain days
during those two weeks.

We will be doing everything we can to minimize the impact of this shortage
to our patients including reducing our normal radioactive doses, switching
to protocols that can conserve our supply of Tc99 and possibly using
alternative radioisotopes when clinically applicable.  We hope to continue
to serve our faculty and our patients as efficiently as possible during this
crisis.  If you have any questions, please feel free to contact...  We
appreciate your understanding during this shortage.

- - - -

Technetium-99m is a short half-life gamma emitter that is used extensively
in nuclear imaging, especially in nuclear cardiology where it is the mainstay
of stress-test imaging.  Its short half-life makes it ideal for diagnostic
studies; a small dose of Tc-99m containing tracer can be given to a patient
for a high-quality imaging study with the radioactivity falling to virtually
nothing within a day.  The isotope is produced continually as a decay
product of Molybdenum-99 which has a half-life about 10x as long.  The great
benefit of the short half-life of the metal imposes a hard physical limit on
its use: it is essential that newly isolated Tc-99 be used within a few
hours of its production -- there is no way to store it.  The radiation
exposure from a routine Tc-99m heart exam is 250 to 500 x that from a
routine chest x-ray.  As many as 4 million people undergo such testing in
the U.S. each year.

The present trouble is the result of a long and complex chain of events.
The main Mo-99 production reactor, located in Canada and operated by Atomic
Energy of Canada Limited (AECL), was shut down in early 2009 after a
containment vessel leak was discovered.  Repairs are proceeding slowly.  Two
replacement reactors were constructed and commissioned but have never been
used for production because of technical problems and because AECL
determined in early 2008 that they would have been too expensive to run.
Unrelated to the Canadian outage, a major European source in Holland was
shut down in 2008 because of corrosion problems.  It was expected to restart
this month but this has been pushed back to "the second half" of August
2010.  Several news sources are reporting that the Maria Polish reactor will
be used to produce medical isotopes, although there are obstacles that may
delay availability further.

A combination of factors has generated the high degree of dependency on a
few, old reactors.  The cost of designing, certifying, building, and
commissioning a new reactor is high and operating them has proven far more
expensive than was expected.  Concerns about the security for reactors have
increased greatly in the wake of 9/11.  Radiopharmaceutical production is
not a growth industry -- indeed advances in non-radioactive imaging show
great promise and may replace the older methods within a decade.  No one
wants to spend the huge amount of money needed to build a new reactor to
serve a declining market share.  The use of the Maria reactor, which was
constructed in 1970 and renewed in 1986, for this purpose makes sense on a
marginal cost basis: you have a reactor that can do this and no one else
does, why not take advantage of the brief window of opportunity afforded by
fate?

A spin-off of the shortage is that it creates an incentive for the quick use
of available Tc-99m.  Rather than allowing substantial amounts of Tc-99m to
simply decay before use, look for nuclear medicine programs to seek rigid
control of exam timing and to book patients "standby" to assure that all of
the available material gets used each day.

What does this have to do with RISKS?  Not a thing.  For once, the problem
is not related to the computers for these reactors, many of which are
ancient devices that only augment the manual and conventional automation
that controls the reactors!
R.I.Cook, MD

------------------------------

Date: Fri, 19 Feb 2010 21:04:19 -0500
From: David Evans <evans_at_private>
Subject: IEEE Symposium on Security and Privacy: 30th anniversary

31st IEEE Symposium on Security and Privacy, 16-19 May 2010
The Claremont Resort, Berkeley/Oakland, California

Advance Program

Sunday, 16 May 2010
4-7pm  Registration and Welcome Reception

Monday, 17 May 2010

8:30-8:45  Opening Remarks
  Ulf Lindqvist, David Evans, Giovanni Vigna

8:45-10:00  Session 1: Malware Analysis
  Chair: Jon Giffin, Georgia Institute of Technology

  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware
  Binaries
    Clemens Kolbitsch (Vienna University of Technology), Thorsten Holz
    (Vienna University of Technology), Christopher Kruegel (University of
    California, Santa Barbara), Engin Kirda (Institute Eurecom)

  Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors
    Matt Fredrikson (University of Wisconsin), Mihai Christodorescu (IBM
    Research), Somesh Jha (University of Wisconsin), Reiner Sailer (IBM
    Research), Xifeng Yan (University of California, Santa Barbara)

  Identifying Dormant Functionality in Malware Programs
    Paolo Milani Comparetti (Technical University Vienna), Guido Salvaneschi
    (Politecnico di Milano), Clemens Kolbitsch (Technical University Vienna),
    Engin Kirda (Institut Eurecom), Christopher Kruegel (University of
    California, Santa Barbara), Stefano Zanero (Politecnico di Milano)

10:20-noon  Session 2: Information Flow
  Chair: David Molnar, Microsoft Research Redmond

  Reconciling Belief and Vulnerability in Information Flow
    Sardaouna Hamadou (University of Southampton), Vladimiro Sassone
    (University of Southampton), Catuscia Palamidessi (École Polytechnique)

  Towards Static Flow-based Declassification for Legacy and Untrusted
  Programs
    Bruno P.S. Rocha (Eindhoven University of Technology), Sruthi Bandhakavi
    (University of Illinois at Urbana Champaign), Jerry I. den Hartog
    (Eindhoven University of Technology), William H. Winsborough (University
    of Texas at San Antonio), Sandro Etalle (Eindhoven University of
    Technology)

  Non-Interference Through Secure Multi-Execution
    Dominique Devriese, Frank Piessens (K. U. Leuven)

  Object Capabilities and Isolation of Untrusted Web Applications
    Sergio Maffeis (Imperial College London), John C. Mitchell (Stanford
    University), Ankur Taly (Stanford University)

1:30-2:45  Session 3: Root of Trust
  Chair: Radu Sion, Stony Brook University

  TrustVisor: Efficient TCB Reduction and Attestation
    Jonathan McCune (Carnegie Mellon University), Yanlin Li (Carnegie Mellon
    University), Ning Qu (Nvidia), Zongwei Zhou (Carnegie Mellon University),
    Anupam Datta (Carnegie Mellon University), Virgil Gligor (Carnegie Mellon
    University), Adrian Perrig (Carnegie Mellon University)

  Overcoming an Untrusted Computing Base: Detecting and Removing Malicious
  Hardware Automatically
    Matthew Hicks (University of Illinois), Murph Finnicum (University of
    Illinois), Samuel T. King (University of Illinois), Milo M. K. Martin
    (University of Pennsylvania), Jonathan M. Smith (University of
    Pennsylvania)

  Tamper Evident Microprocessors
    Adam Waksman, Simha Sethumadhavan (Columbia University)

3:15-4:55  Session 4: Information Abuse
  Chair: Patrick Traynor, Georgia Institute of Technology

  Side-Channel Leaks in Web Applications: a Reality Today, a Challenge
  Tomorrow
    Shuo Chen (Microsoft Research), Rui Wang (Indiana University
    Bloomington), XiaoFeng Wang (Indiana University Bloomington), Kehuan
    Zhang (Indiana University Bloomington)

  Investigation of Triangular Spamming: a Stealthy and Efficient Spamming
  Technique
    Zhiyun Qian (University of Michigan), Z. Morley Mao (University of
    Michigan), Yinglian Xie (Microsoft Research Silicon Valley), Fang Yu
    (Microsoft Research Silicon Valley)

  A Practical Attack to De-Anonymize Social Network Users
    Gilbert Wondracek (Vienna University of Technology), Thorsten Holz
    (Vienna University of Technology), Engin Kirda (Institute Eurecom),
    Christopher Kruegel (University of California, Santa Barbara)

  SCiFI - A System for Secure Face Identification
    Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich
    (University of Haifa)

6:30pm  Special Gala Event Celebrating the 30th Anniversary of Security and
  Privacy
  Master of Ceremonies: Peter G. Neumann

Tuesday, 18 May 2010

9-10:15am  Session 5: Network Security
  Chair: Cristina Nita-Rotaru, Purdue University

  Round-Efficient Broadcast Authentication Protocols for Fixed Topology
  Classes
    Haowen Chan, Adrian Perrig (Carnegie Mellon University)

  Revocation Systems with Very Small Private Keys
    Allison Lewko (University of Texas at Austin), Amit Sahai (University of
    California, Los Angeles), Brent Waters (University of Texas at Austin)

  Authenticating Primary Users' Signals in Cognitive Radio Networks via
  Integrated Cryptographic and Wireless Link Signatures
    Yao Liu, Peng Ning, Huaiyu Dai (North Carolina State University)

10:15-10:45  Session 6: Systematization of Knowledge I
  Chair: Z. Morley Mao, University of Michigan

  Outside the Closed World: On Using Machine Learning For Network Intrusion
  Detection
    Robin Sommer (ICSI/Lawrence Berkeley National Laboratory), Vern Paxson
    (ICSI/University of California, Berkeley)

  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward
  Symbolic Execution (but might have been afraid to ask)
    Thanassis Avgerinos, Edward Schwartz, David Brumley (Carnegie Mellon
    University)

  State of the Art: Automated Black-Box Web Application Vulnerability Testing
    Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell (Stanford
    University)

1:45-3:00  Session 7: Secure Systems
  Chair: Jonathan McCune, Carnegie Mellon University

  A Proof-Carrying File System
    Deepak Garg, Frank Pfenning (Carnegie Mellon University)

  Scalable Parametric Verification of Secure Systems: How to Verify Reference
  Monitors without Worrying about Data Structure Size
    Jason Franklin (Carnegie Mellon University), Sagar Chaki (Carnegie Mellon
    University), Anupam Datta (Carnegie Mellon University), Arvind Seshadri
    (IBM Research)

  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor
  Control-Flow Integrity
    Zhi Wang, Xuxian Jiang (North Carolina State University)

3:20-4:10  Session 8: Systematization of Knowledge II
  Chair: Ed Suh, Cornell University

  How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation
    Elie Bursztein, Steven Bethard, John C. Mitchell, Dan Jurafsky (Stanford
    University), Céline Fabry

  Bootstrapping Trust in Commodity Computers
    Bryan Parno, Jonathan M. McCune, Adrian Perrig (Carnegie Mellon
    University)

4:30-5:30  Short Talks
  Short Talks Chair: Angelos Stavrou, George Mason University

5:45-7:30pm  Reception and Poster Session
  Poster Session Chair: Carrie Gates (CA Labs)

Wednesday, 19 May 2010

9-10:15am  Session 9: Analyzing Deployed Systems
  Chair: J. Alex Halderman, University of Michigan

  Chip and PIN is Broken
    Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond (University of
    Cambridge)

  Experimental Security Analysis of a Modern Automobile
    Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi
    Kohno (University of Washington), Stephen Checkoway, Damon McCoy, Brian
    Kantor, Danny Anderson, Hovav Shacham, Stefan Savage (University of
    California, San Diego)

  On the Incoherencies in Web Browser Access Control Policies
    Kapil Singh (Georgia Institute of Technology), Alexander Moshchuk
    (Microsoft Research), Helen J. Wang (Microsoft Research), Wenke Lee
    (Georgia Institute of Technology)

10:45-noon  Session 10: Language-Based Security
  Chair: David Brumley, Carnegie Mellon University

  ConScript: Specifying and Enforcing Fine-Grained Security Policies for
  JavaScript in the Browser
    Leo Meyerovich (University of California, Berkeley), Benjamin Livshits
    (Microsoft Research)

  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software
  Vulnerability Detection
    Tielei Wang (Peking University), Tao Wei (Peking University), Guofei Gu
    (Texas A & M University), Wei Zou (Peking University)

  A Symbolic Execution Framework for JavaScript
    Prateek Saxena, Devdatta Akhawe, Steve Hanna, Stephen McCamant, Dawn
    Song, Feng Mao (University of California, Berkeley)

noon-12:15  Closing
  Ulf Lindqvist, David Evans, Giovanni Vigna

Thursday, 20 May 2010
Workshops (separate registration required):
* Systematic Approaches to Digital Forensic Engineering
* Workshop on Security and Privacy in Social Networks
* W2SP 2010: Web 2.0 Security & Privacy

------------------------------

Date: Thu, 18 Feb 2010 23:42:37 -0800
From: "Kalin Tyler" <ktyler_at_private>
Subject: FOSE 2010

You are well aware of the challenges we as a CyberSecurity community face
from rapid changes in the technology landscape.  FOSE 2010 is the place to
discover opportunities and solutions along with changing expectations for
government IT professionals.  Register today for the FOSE 2010 experience
http://www.fose.com.
If you sign up now you also get a 10% discount on a conference pass.  You
can redeem this discount here http://cli.gs/FOSE10.

You can expect:
- 3 days of IT resources helping you navigate today's shifting tech landscape
- 2 full conference days packed with education on emerging technologies,
  trends, and new improvements to existing solutions
- Thousands of products on the FREE* EXPO floor allowing you to gain
  one-on-one insight into the capabilities of our exhibitors through demos,
  theater presentations and FREE Education.
- Attend the Accenture CyberSecurity Pavilion or Focus on Digital Forensics.

*FOSE is a must-attend free show for government, military, and government
contractors.

It's time to register and reserve your place at FOSE today!  Visit
http://www.fose.com to learn more about what FOSE has to offer, or redeem
your 10% discount by registering here: http://cli.gs/FOSE10.

Kalin Tyler, ktyler_at_private, FOSE Team/Tuvel Communications
Connect with FOSE
Twitter: http://twitter.com/FOSE
Facebook: http://cli.gs/85RgD5
LinkedIn: http://cli.gs/Vn8mMQ
GovLoop: http://www.govloop.com/group/fose

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.95
************************